Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues
> That's definitely the cable modem's NAT getting confused. If you can get the
> phones to randomize their source ports on their OpenVPN traffic, that might
> resolve. I'm not sure if that's possible on those phones. In stock OpenVPN,
> specifying "lport 0" in the config will make it choose a random port. I'm not
> sure if that's configurable for the Yealink phones though. We disable that
> automatically in our OpenVPN client export for Yealink because they didn't
> support it at least up until recently.
>
> If you can change the modem to bridge mode to pass through the public IP to a
> router of some sort that will properly handle that circumstance, it'll resolve
> that. That might be hit or miss with consumer-grade routers. A completely
> default pfSense config will work fine in that circumstance, as it'll
> randomize the source ports on its own so the phones don't have to.

Thanks Chris, I've emailed Yealink support but it seems they are "off" until mid-next week (Chinese New Year). Not sure what to do: purchase a 3rd party router to see if it solves the problem, or wait to see what Yealink's answer is first. Reading up on the modem, it seems bridge mode is a little problematic... maybe a call to the cable provider first to see the options.

Thanks Again,
Chuck

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues
On Tue, Feb 17, 2015 at 11:13 PM, Chuck Mariotti wrote:
>> Think you forgot the logs. That should be enough of a summary to have a good
>> idea though.
>
>> What's the firewall/router/NAT device on the network where the 3 phones
>> reside? That sounds like what could happen with a NAT device that doesn't
>> handle UDP well. Some consumer-grade routers and some NAT implementations
>> built into DSL/cable modems can have problems handling long-lived UDP
>> connections especially where multiple devices are being NATed out to a single
>> destination IP and port.
>
> And here is the log below... argh.
> The devices are behind a 256Mbit cable modem... Any suggestions on how to
> resolve if that is the case? 3rd party router?
>
> Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 send_push_reply(): safe_cap=940
> Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, IPv6=(Not enabled)
> Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
> Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 send_push_reply(): safe_cap=940
> Feb 17 19:50:42 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
> Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
> Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
> Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
> Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled

That's definitely the cable modem's NAT getting confused. If you can get the phones to randomize their source ports on their OpenVPN traffic, that might resolve. I'm not sure if that's possible on those phones. In stock OpenVPN, specifying "lport 0" in the config will make it choose a random port. I'm not sure if that's configurable for the Yealink phones though. We disable that automatically in our OpenVPN client export for Yealink because they didn't support it at least up until recently.

If you can change the modem to bridge mode to pass through the public IP to a router of some sort that will properly handle that circumstance, it'll resolve that. That might be hit or miss with consumer-grade routers. A completely default pfSense config will work fine in that circumstance, as it'll randomize the source ports on its own so the phones don't have to.
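Chris's diagnosis above rests on one observation in the log: two different certificate CNs (Phone-Ext211 and Phone-Ext212) show up behind the same public ip:port, and OpenVPN then reports HMAC failures and out-of-sync keys for that endpoint, which is what a NAT that reuses or remaps UDP source ports across several clients looks like from the server. The following Python script is an editorial example added here; it is not part of this thread, of OpenVPN, or of pfSense. It parses server-side OpenVPN log lines in the format Chuck posted and flags every public endpoint that more than one CN was seen behind, so the symptom can be spotted in a log before anyone reads through hundreds of error lines. The sample lines are copied from the thread, plus one constructed line for a hypothetical second site (198.51.100.7, Phone-Ext101) that connects from its own port and therefore triggers nothing.

```python
import re
from collections import defaultdict

# Server-side OpenVPN log line: "<ts> openvpn[<pid>]: [<CN>/]<ip>:<port> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) openvpn\[\d+\]: "
    r"(?:(?P<cn>[\w.-]+)/)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}) (?P<msg>.*)$"
)
# "Peer Connection Initiated" lines carry the CN in brackets instead of as a prefix
PEER_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated")
CN_CHANGE_RE = re.compile(
    r"CN attempted to change from '(?P<old>[^']+)' to '(?P<new>[^']+)'"
)

# Sample input: lines 1-8 are copied from the thread; line 9 is constructed
# (documentation address 198.51.100.7, hypothetical CN Phone-Ext101).
SAMPLE_LOG = """
Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:25 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:20 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 16:35:42 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb 17 12:00:00 openvpn[78847]: 198.51.100.7:49152 [Phone-Ext101] Peer Connection Initiated with [AF_INET]198.51.100.7:49152
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one log line, or None for lines without a peer endpoint."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["endpoint"] = f"{rec['ip']}:{rec['port']}"
    rec["cns"] = set()
    if rec["cn"]:
        rec["cns"].add(rec["cn"])
    peer = PEER_RE.match(rec["msg"])
    if peer:
        rec["cns"].add(peer.group("cn"))
    change = CN_CHANGE_RE.search(rec["msg"])
    if change:
        # Both the old and the new CN were seen on this endpoint
        rec["cns"].update((change.group("old"), change.group("new")))
    rec["cn_change"] = bool(change)
    rec["hmac_fail"] = "packet HMAC authentication failed" in rec["msg"]
    rec["out_of_sync"] = "TLS keys are out of sync" in rec["msg"]
    return rec


def analyze(lines):
    """Aggregate per public ip:port: CNs seen and counts of each error type."""
    report = defaultdict(
        lambda: {"cns": set(), "cn_changes": 0, "hmac_failures": 0, "out_of_sync": 0}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ep = report[rec["endpoint"]]
        ep["cns"] |= rec["cns"]
        ep["cn_changes"] += rec["cn_change"]
        ep["hmac_failures"] += rec["hmac_fail"]
        ep["out_of_sync"] += rec["out_of_sync"]
    return dict(report)


def shared_endpoints(report):
    """Public ip:port pairs that more than one certificate CN was seen behind."""
    return sorted(ep for ep, info in report.items() if len(info["cns"]) > 1)


def clients_per_public_ip(report):
    """How many distinct CNs sit behind each public address (one NAT each)."""
    by_ip = defaultdict(set)
    for ep, info in report.items():
        by_ip[ep.rsplit(":", 1)[0]] |= info["cns"]
    return {ip: len(cns) for ip, cns in by_ip.items()}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ep in shared_endpoints(result):
        info = result[ep]
        print(f"{ep}: CNs {sorted(info['cns'])}, cn_changes={info['cn_changes']}, "
              f"hmac_failures={info['hmac_failures']}, out_of_sync={info['out_of_sync']}")
    print("clients per public IP:", clients_per_public_ip(result))
```

Run against a real pfSense OpenVPN log, an endpoint listed by shared_endpoints with non-zero cn_changes is the NAT symptom Chris describes; a site whose clients each appear on their own port (as the constructed 198.51.100.7 line does) never shows up. The MULTI_sva line without an endpoint is skipped rather than counted, which keeps per-endpoint counts honest.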
Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues
> Think you forgot the logs. That should be enough of a summary to have a good
> idea though.
>
> What's the firewall/router/NAT device on the network where the 3 phones
> reside? That sounds like what could happen with a NAT device that doesn't
> handle UDP well. Some consumer-grade routers and some NAT implementations
> built into DSL/cable modems can have problems handling long-lived UDP
> connections especially where multiple devices are being NATed out to a single
> destination IP and port.

And here is the log below... argh.
The devices are behind a 256Mbit cable modem... Any suggestions on how to resolve if that is the case? 3rd party router?

Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 send_push_reply(): safe_cap=940
Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, IPv6=(Not enabled)
Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer Connection Initiated with [AF_INET]172.172.172.66:1086
Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 send_push_reply(): safe_cap=940
Feb 17 19:50:42 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:31 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:27 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:25 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:20 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:18 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:18 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:15 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:09 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:49:05 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:05 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:49:01 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:57 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:55 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:50 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:48 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:48 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:48 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 19:48:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 17 19:48:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [3]
Feb 17 16:35:45 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 send_push_reply(): safe_cap=940
Feb 17 16:35:42 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
Feb
Re: [pfSense] Fwd: Running Out of /var
On Mon, Feb 16, 2015 at 6:35 AM, Thomas Guldener wrote:
> $ ls -l /var/dhcpd/var/db
> total 33728
> -rw-r--r--  1 dhcpd  _dhcp         0 Feb 16 12:50 dhcpd.leases
> -rw-r--r--  1 root   _dhcp      1193 Feb 16 12:50 dhcpd.leases~
> -rw-r--r--  1 dhcpd  _dhcp     28661 Feb 16 13:11 dhcpd6.leases
> -rw-r--r--  1 dhcpd  _dhcp  17203155 Feb 16 13:11 dhcpd6.leases~

Wow, that is a huge dhcpd6.leases~ file. You happen to make note of its contents before disabling?
Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues
On Tue, Feb 17, 2015 at 9:50 PM, Chuck Mariotti wrote:
> I have 4 Yealink T46G phones, 3 on one network (problematic), 1 on a
> separate network… all phones are OpenVPNing into pfSense box at datacenter…
> then using a phone system through the OpenVPN connection.
>
> The problematic location keeps having issues with phones not receiving calls
> or making calls… as well as call quality issues. Rebooting the phones solves
> the problems.
>
> The OpenVPN logs contain a number of TLS Errors (TLS keys are out of sync)…
> as well as Auth/Decrypt errors (packet HMAC authentication failed). Logs are
> below.

Think you forgot the logs. That should be enough of a summary to have a good idea though.

What's the firewall/router/NAT device on the network where the 3 phones reside? That sounds like what could happen with a NAT device that doesn't handle UDP well. Some consumer-grade routers and some NAT implementations built into DSL/cable modems can have problems handling long-lived UDP connections especially where multiple devices are being NATed out to a single destination IP and port.
Re: [pfSense] Suddenly getting pfi_table_update errors
On Tue, Feb 17, 2015 at 10:22 PM, Bryan D. wrote:
> I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5
> GB of memory that always shows <50% used.
>
> This setup has normally been reliable but, since upgrading to 2.1.5, today is
> the 4th time I've run into a problem after making changes to some aliases.
> For some reason that I've been unable to see much pattern to, pfSense will
> suddenly report a rash of errors similar to:
> ---
> [ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument
> - The line in question reads [0]: ]
> ---
> and/or an error indicating that it can't allocate memory (but there's over
> 50% reported as being available).
>
> When this happens, the following kind of error will occur during the reboot
> while first configuring the firewall ...
> ---
> pfi_table_update cannot set new addresses into table :
> ---
> where "" varies, even with the same config being rebooted, and seems to
> be either an interface name or "self". The error continues to recur with a
> considerable "blocking" pause (up to 10's of seconds) each time it
> (apparently) attempts a reload.

It sounds like something in 32 bit isn't happy with very large table sizes. Can't say we've tried large tables on 32 bit, nor do I know of others who have offhand. Where there is a need for large table sizes, you're almost always running 64 bit hardware and the 64 bit version. Is that not a 64 bit CPU? If it is, reinstalling with 64 bit and restoring your backup should be a quick, proven solution.

If you wouldn't mind sharing your aliases, email that portion of your config to me off-list.
[pfSense] Suddenly getting pfi_table_update errors
I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5 GB of memory that always shows <50% used.

This setup has normally been reliable but, since upgrading to 2.1.5, today is the 4th time I've run into a problem after making changes to some aliases. For some reason that I've been unable to see much pattern to, pfSense will suddenly report a rash of errors similar to:
---
[ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - The line in question reads [0]: ]
---
and/or an error indicating that it can't allocate memory (but there's over 50% reported as being available).

When this happens, the following kind of error will occur during the reboot while first configuring the firewall ...
---
pfi_table_update cannot set new addresses into table :
---
where "" varies, even with the same config being rebooted, and seems to be either an interface name or "self". The error continues to recur with a considerable "blocking" pause (up to 10's of seconds) each time it (apparently) attempts a reload.

I've handled this issue by restoring the most recently saved config.xml (I save these _very_ often, now!) and it's been "good to go" .. after which I can remake the changes and all has been good.

However, today that strategy didn't work. After restoring the previously saved config.xml, which had been running without issues for about a day, the "pfi_table_update" problems remained after rebooting.

Thinking it might be a disk-corruption and/or hardware issue, I built another system (with similar resources) and tested it. The same config fails in an equivalent way.

QUESTION: Can anyone shed some light on how I might troubleshoot this issue?

QUESTION: Does anyone know what's getting loaded when the message
---
There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument - The line in question reads [0]
---
is being issued? ... if I could see the rule that's giving the problem, maybe that'd lead somewhere useful.

Other things I've done, without result ...

Of course I asked Mr. Google and searched the pfSense bug tracker for pfi_table_update, all without results.

I scanned the disk for an operation called pfi_table_update (find / -type f -exec fgrep -l pfi_table_update {} \;) but came up empty-handed so I assume this is not a php/pfSense routine.

My first thought when it occurred was that the config.xml file had become corrupted, but I've never found any evidence of that. I've always compared the failed config to the successfully reverted config and found no clues (lately, since I save configs so often, there's only been 2 or 3 changes).

The only thing that's been consistent is that the problem always "pops up" (literally!) after editing aliases and the rules are being reloaded. I'm always careful to change aliases in a way that works from the bottom of the dependencies "up" (when applicable) and, though I do have aliases that include other aliases, I doubt there's anything unusual in either structure or number of aliases I have configured (84 host/network aliases, 67 port aliases and 63 URL aliases).

The only thing (related to the aliases) that may be unusual is that I have about 10 large URL tables (70K entries, each) and have things configured for 250 tables (currently <100) and 2,500,000 table entries (currently about 680K entries). It's the tables that consume memory, not states, in our case.

Any ideas?#;-)
[pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues
I have 4 Yealink T46G phones, 3 on one network (problematic), 1 on a separate network... all phones are OpenVPNing into pfSense box at datacenter... then using a phone system through the OpenVPN connection.

The problematic location keeps having issues with phones not receiving calls or making calls... as well as call quality issues. Rebooting the phones solves the problems.

The OpenVPN logs contain a number of TLS Errors (TLS keys are out of sync)... as well as Auth/Decrypt errors (packet HMAC authentication failed). Logs are below.

Can anyone shed some light on what might be happening here?

Regards,
Chuck
[pfSense] Problem allowing traffic from external OpenVPN clients to LAN systems
Hello,

I'm using PfSense 2.1.4 on an Alix system with 3 networks, one WAN and two different LANs. On this PfSense box, I've set up two OpenVPN VPNs, in peer-to-peer mode with pre-shared keys, one with TCP access, the other with the more classical UDP. For these two VPNs, I have external clients (not running PfSense, but OpenVPN) which successfully connect to my PfSense box.

From my system, located on a private LAN connected to one of the two PfSense LAN interfaces (I'm using gateways to send traffic back to this private LAN), I can access the Internet, and also the client OpenVPN systems and their private LANs, as I added routes for this in the OpenVPN configuration.

I would now like to access my system from these client OpenVPN systems, but it doesn't work, and I don't understand why: I can do 'ping ', and the ping gets an answer, but if I try an SSH connection, I can't access my local system from these client OpenVPN systems. On the PfSense box, when looking in the Firewall tab in Status->System logs, filtering on my private LAN address/port 22, I find the connection packets (TCP SYN) are blocked:

Act    Time             If      Source           Destination      Proto
block  Feb 17 12:29:14  ovpns2  10.0.9.2:42233   172.22.22.41:22  TCP:S

When clicking on the 'block' icon, I get:

The rule that triggered this action is:
@5 block drop in log inet all label "Default deny rule IPv4"

I've tried to allow any traffic from the OpenVPN networks in Firewall Rules without change. If I also try the 'Easy Rule' in System Logs/Firewall to add a rule to allow these connections, it doesn't change, the connections are still blocked :-(

I didn't use a named interface for the OpenVPN servers, could that help with my problem?

If you have any advice, or need more information, please tell me!

With regards,
Fred.